/**
 * Builds the issue-instant policy rule for inbound messages.
 * <p>
 * Both constructor arguments come from fields of the enclosing object:
 * {@code clockSkew} (tolerated clock drift) and {@code newExpires} (message
 * lifetime). The exact window semantics are those of {@code IssueInstantRule}.
 *
 * @return a freshly constructed rule; a new instance on every call
 */
protected IssueInstantRule issueInstantRule() {
    final IssueInstantRule issueInstant = new IssueInstantRule(clockSkew, newExpires);
    return issueInstant;
}
/**
 * Builds the replay-detection policy rule.
 * <p>
 * The rule is backed by the cache returned from {@code replayCache()}, which is
 * defined elsewhere in the enclosing class; whether that call returns a shared
 * or a fresh cache is not visible here and determines whether replay detection
 * actually spans requests — confirm against {@code replayCache()}.
 *
 * @return a freshly constructed rule; a new instance on every call
 */
protected MessageReplayRule messageReplayRule() {
    final MessageReplayRule replayRule = new MessageReplayRule(replayCache());
    return replayRule;
}
/**
 * Appends the XML-signature policy rule, bound to the context's local trust engine.
 * <p>
 * Only {@code SAMLProtocolMessageXMLSignatureSecurityPolicyRule} is registered here,
 * so a signature carried outside the XML (e.g. a binding-level simple signature) is
 * not evaluated by this policy. The trust engine from
 * {@code samlContext.getLocalTrustEngine()} is passed through unchecked; if it can be
 * null the rule has nothing to validate against — TODO confirm it is always set
 * before this method runs.
 *
 * @param securityPolicy the rule list to append to (mutated in place)
 * @param samlContext    the context supplying the local trust engine
 */
@Override
public void getSecurityPolicy(List<SecurityPolicyRule> securityPolicy, SAMLMessageContext samlContext) {
    final SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
    final SecurityPolicyRule xmlSignatureRule =
            new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine);
    securityPolicy.add(xmlSignatureRule);
}
HttpServletRequest request = requestAdapter.getWrappedRequest(); if (!ruleHandles(request, samlMsgCtx)) { log.debug("Rule can not handle this request, skipping processing"); return; byte[] signature = getSignature(request); if (signature == null || signature.length == 0) { log.debug("HTTP request was not signed via simple signature mechanism, skipping"); String sigAlg = getSignatureAlgorithm(request); if (DatatypeHelper.isEmpty(sigAlg)) { log.warn("Signature algorithm could not be extracted from request, can not validate simple signature"); byte[] signedContent = getSignedContent(request); if (signedContent == null || signedContent.length == 0) { log.warn("Signed content could not be extracted from HTTP request, can not validate"); doEvaluate(signature, signedContent, sigAlg, request, samlMsgCtx);
SAMLMessageContext samlMsgCtx) throws SecurityPolicyException { List<Credential> candidateCredentials = getRequestCredentials(request, samlMsgCtx); log.debug("Attempting to validate SAML protocol message simple signature using context issuer: {}", contextIssuer); CriteriaSet criteriaSet = buildCriteriaSet(contextIssuer, samlMsgCtx); if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) { log.info("Validation of request simple signature succeeded"); if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) { String derivedIssuer = deriveSignerEntityID(samlMsgCtx); if (derivedIssuer != null) { log.debug("Attempting to validate SAML protocol message simple signature using derived issuer: {}", derivedIssuer); CriteriaSet criteriaSet = buildCriteriaSet(derivedIssuer, samlMsgCtx); if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) { log.info("Validation of request simple signature succeeded"); if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) {
/**
 * {@inheritDoc}
 * <p>
 * Only a {@code SAMLMessageContext} whose inbound message is a signed
 * {@code SignableSAMLObject} is processed; every other case is logged and the
 * method returns without throwing. In particular an <em>unsigned</em> message is
 * not rejected by this rule — if a signature is mandatory, that requirement has to
 * be enforced by another rule or by checking the context's authenticated flag
 * afterwards. When a signature is present it is pre-validated and then handed to
 * {@code doEvaluate}, both of which may throw.
 */
public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
    final SAMLMessageContext samlMsgCtx = messageContext instanceof SAMLMessageContext
            ? (SAMLMessageContext) messageContext
            : null;
    if (samlMsgCtx == null) {
        log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
        return;
    }

    final SAMLObject inbound = samlMsgCtx.getInboundSAMLMessage();
    final SignableSAMLObject signableObject;
    if (inbound instanceof SignableSAMLObject) {
        signableObject = (SignableSAMLObject) inbound;
    } else {
        log.debug("Extracted SAML message was not a SignableSAMLObject, can not process signature");
        return;
    }

    // No signature present: skip rather than fail (see class-level note above).
    if (!signableObject.isSigned()) {
        log.info("SAML protocol message was not signed, skipping XML signature processing");
        return;
    }

    final Signature signature = signableObject.getSignature();
    // Structural checks on the Signature element run before any trust evaluation.
    performPreValidation(signature);
    doEvaluate(signature, signableObject, samlMsgCtx);
}
/**
 * Runs the configured signature pre-validator (if any) against the Signature token.
 * <p>
 * A pre-validator is optional: when {@code getSignaturePrevalidator()} returns null
 * this method is a no-op. Any {@code ValidationException} from the pre-validator is
 * logged at debug level and re-thrown as a {@code SecurityPolicyException} with the
 * original exception preserved as its cause.
 *
 * @param signature the signature to evaluate
 * @throws SecurityPolicyException if the signature element fails pre-validation
 */
protected void performPreValidation(Signature signature) throws SecurityPolicyException {
    if (getSignaturePrevalidator() == null) {
        return;
    }
    try {
        getSignaturePrevalidator().validate(signature);
    } catch (ValidationException e) {
        log.debug("Protocol message signature failed signature pre-validation", e);
        throw new SecurityPolicyException(
                "Protocol message signature failed signature pre-validation", e);
    }
}
}
CriteriaSet criteriaSet, List<Credential> candidateCredentials) throws SecurityPolicyException { SignatureTrustEngine engine = getTrustEngine();
msgType); if (evaluate(signature, contextIssuer, samlMsgCtx)) { log.info("Validation of protocol message signature succeeded, message type: {}", msgType); if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) {
/**
 * Assembles the {@code SAMLMessageHandler} bean with its decoders, encoder and
 * inbound security policy.
 * <p>
 * The inbound policy built here contains only an {@code IssueInstantRule}; no
 * signature or replay rule is added at this point, so any signature checking must
 * come from elsewhere in the handler — verify against {@code SAMLMessageHandler}.
 * The {@code idp.compare_endpoints} flag controls the decoders' URI comparator:
 * when it is {@code false} a comparator that accepts every pair of URIs is
 * installed, which switches off the receiver-endpoint comparison the OpenSAML
 * decoders perform. That is a deliberate relaxation and should stay confined to
 * test or mock deployments.
 *
 * @param clockSkew        tolerated clock drift, from {@code idp.clock_skew}
 * @param expires          message lifetime, from {@code idp.expires}
 * @param idpBaseUrl       base URL of this IdP, from {@code idp.base_url}
 * @param compareEndpoints whether decoders compare the message endpoint, from
 *                         {@code idp.compare_endpoints}
 * @param idpConfiguration IdP configuration passed through to the handler
 * @param keyManager       key store backing the handler
 * @return the configured handler
 * @throws XMLParserException if the parser pool fails to initialise
 * @throws URISyntaxException propagated from handler construction
 */
@Bean
@Autowired
public SAMLMessageHandler samlMessageHandler(
        @Value("${idp.clock_skew}") int clockSkew,
        @Value("${idp.expires}") int expires,
        @Value("${idp.base_url}") String idpBaseUrl,
        @Value("${idp.compare_endpoints}") boolean compareEndpoints,
        IdpConfiguration idpConfiguration,
        JKSKeyManager keyManager) throws XMLParserException, URISyntaxException {
    final StaticBasicParserPool parserPool = new StaticBasicParserPool();

    // Inbound policy: only the issue-instant window is enforced here.
    final BasicSecurityPolicy inboundPolicy = new BasicSecurityPolicy();
    inboundPolicy.getPolicyRules().add(new IssueInstantRule(clockSkew, expires));

    final HTTPPostDecoder postDecoder = new HTTPPostDecoder(parserPool);
    final HTTPRedirectDeflateDecoder redirectDecoder = new HTTPRedirectDeflateDecoder(parserPool);
    if (!compareEndpoints) {
        // Accept-all comparator: disables the decoders' endpoint check (see Javadoc).
        final URIComparator acceptAll = (uri1, uri2) -> true;
        postDecoder.setURIComparator(acceptAll);
        redirectDecoder.setURIComparator(acceptAll);
    }

    // The pool is initialised after the decoders merely hold a reference to it.
    parserPool.initialize();

    // Third argument is forwarded unchanged; presumably the "sign the XML message"
    // flag of the OpenSAML encoder — confirm against its constructor.
    final HTTPPostSimpleSignEncoder simpleSignEncoder = new HTTPPostSimpleSignEncoder(
            VelocityFactory.getEngine(), "/templates/saml2-post-simplesign-binding.vm", true);

    return new SAMLMessageHandler(
            keyManager,
            Arrays.asList(redirectDecoder, postDecoder),
            simpleSignEncoder,
            new StaticSecurityPolicyResolver(inboundPolicy),
            idpConfiguration,
            idpBaseUrl);
}
/**
 * Appends the XML-signature policy rule, bound to the context's local trust engine.
 * <p>
 * Only {@code SAMLProtocolMessageXMLSignatureSecurityPolicyRule} is added, so a
 * signature carried outside the XML document is not checked by this policy. The
 * trust engine is taken from {@code samlContext.getLocalTrustEngine()} without a
 * null check — TODO confirm it is always populated before this runs.
 *
 * @param securityPolicy the rule list to append to (mutated in place)
 * @param samlContext    the context supplying the local trust engine
 */
@Override
public void getSecurityPolicy(List<SecurityPolicyRule> securityPolicy, SAMLMessageContext samlContext) {
    final SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
    final SecurityPolicyRule xmlSignatureRule =
            new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine);
    securityPolicy.add(xmlSignatureRule);
}
/**
 * Appends the signature rules for the HTTP-Redirect (DEFLATE) binding.
 * <p>
 * Two rules are registered, in this order: the redirect-binding signature rule
 * (covering a signature carried in the query string) and the XML-signature rule
 * (covering a signature embedded in the message). Both share the trust engine
 * from {@code samlContext.getLocalTrustEngine()}, which is passed through
 * unchecked — TODO confirm it is always populated before this runs.
 *
 * @param securityPolicy the rule list to append to (mutated in place)
 * @param samlContext    the context supplying the local trust engine
 */
@Override
public void getSecurityPolicy(List<SecurityPolicyRule> securityPolicy, SAMLMessageContext samlContext) {
    final SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
    final SecurityPolicyRule redirectSignatureRule =
            new SAML2HTTPRedirectDeflateSignatureRule(trustEngine);
    final SecurityPolicyRule xmlSignatureRule =
            new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine);
    securityPolicy.add(redirectSignatureRule);
    securityPolicy.add(xmlSignatureRule);
}
/**
 * Appends the signature rules for the HTTP-POST-SimpleSign binding.
 * <p>
 * Two rules are registered, in this order: the simple-signature rule, which needs
 * the enclosing object's {@code parserPool} and the trust engine's KeyInfo resolver,
 * and the XML-signature rule. Both use the trust engine from
 * {@code samlContext.getLocalTrustEngine()}; because {@code getKeyInfoResolver()} is
 * invoked on it directly, a null engine fails here with a NullPointerException
 * before any rule is added — TODO confirm the engine is always populated.
 *
 * @param securityPolicy the rule list to append to (mutated in place)
 * @param samlContext    the context supplying the local trust engine
 */
@Override
public void getSecurityPolicy(List<SecurityPolicyRule> securityPolicy, SAMLMessageContext samlContext) {
    final SignatureTrustEngine trustEngine = samlContext.getLocalTrustEngine();
    final SecurityPolicyRule simpleSignRule = new SAML2HTTPPostSimpleSignRule(
            trustEngine, parserPool, trustEngine.getKeyInfoResolver());
    final SecurityPolicyRule xmlSignatureRule =
            new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(trustEngine);
    securityPolicy.add(simpleSignRule);
    securityPolicy.add(xmlSignatureRule);
}